
RE: DIGEST-MD5 and {nonce,cnonce} (fwd)



On Mon, 25 Oct 1999, Howard Chu wrote:

> > > > To be blunt: using gettimeofday to get SECURE random numbers is a really
> > > > BAD idea! Most operating systems have much better ways to get random numbers
> > > > (for example /dev/random). These specifically have been developed with
> > > > security in mind, so use them!
> > >
> > >         Yeah, but I am thinking in terms of portability. Is reading from
> > > /dev/random portable enough? AFAIK, linux supports it, but Solaris does
> > > not.
> > >         Maybe I shouldn't think of portability now, and just use
> > > /dev/random.
> >
> > I hope you think of both! :-) . OpenLDAP is a multi platform effort, so keeping
> > things portable is desirable.  Unfortunately there isn't a standard for getting
> > secure random numbers.
> 
> I personally like generating seek offsets into the swap partition, and
> getting bytes from there. I.e., use a PRNG to generate the seek offsets.

	Yes, but ideally, systems should not swap too often, so it's
difficult to guarantee that you really generate something that is 'more
random' than the PRNG.